Windows Vista Tips

How can I disable unauthenticated connections to IPC$

 
 
zerotrace
      01-21-2011
I want to find out if there is a way to disable unauthenticated access
to the IPC$ share in an effort to remediate the /sarcasm dreaded "Null
Session" vulnerability. Steps I have already taken and the results:

The test system was W2K3

The system I connected from was my desktop WinXP on the same domain

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = "COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC" (took out browser)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = "COMCFG, DFS$" (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = "COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC" (took out browser)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = "COMCFG, DFS$" (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = " " (took out all entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = "COMCFG, DFS$" (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = " " (tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = "COMCFG, DFS$" (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\AllowedPipes = "Netlogon, lsarpc, samr, srvsvc, wkssvc" (left out BROWSER)
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = "COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER"
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = "COMCFG, DFS$" (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\PipeFirewallActive = 1
Add new key HKLM\System\currentcontrolset\services\lanmanserver\parameters\AllowedPipes = " " (took out all entries)
Change HKLM\System\currentcontrolset\control\lsa\restrictanonymous = 1
(tried 1 and 2)
Add new key HKLM\System\currentcontrolset\control\TurnOffAnonymousBlock = 0 (tried with and without)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionPipes = " " (tried with and without entries)
HKLM\System\currentcontrolset\services\lanmanserver\parameters\NullSessionShares = "COMCFG, DFS$" (tried with and without entries)
Reboot
From my desktop -> net use \\<server-name>\IPC$ /u:"" ""
Result = Successful

I had a thought that maybe these settings were getting changed back
after reboots by the local security policy, so I ran through a number
of these tests again, and added a step after reboots to check the
local security policy to ensure they were not getting changed.

After doing all of these tests, I tested again with the <server-name>
server and I connected FROM a machine that is not on the domain, to
make sure there was not a GPO, or some kind of domain trust playing
into this. The results of these tests were the same.

And just to clarify, I had RestrictNullSessAccess = 1

and I tried this:
found here - http://social.technet.microsoft.com/...8-be7270f92e2b
There are 6 policies listed below that control what information can
be accessed anonymously. These policies are located in local group
policy editor under Computer Configuration\Windows Settings\SecuritySettings\Local Policies\SecurityOptions.
1. Network access: Allow anonymous SID/Name translation
2. Network access: Do not allow anonymous enumeration of SAM accounts
3. Network access: Do not allow anonymous enumeration of SAM accounts and shares
4. Network access: Let Everyone permissions apply to anonymous users
5. Network access: Named Pipes that can be accessed anonymously
6. Network access: Shares that can be accessed anonymously
In order to completely disable anonymous logons, you can disable
policy 1 and 4, enable policy 2 and 3, and specify empty lists for
policy 5 and 6.

I CANNOT GET THE SERVER TO STOP ALLOWING ANONYMOUS CONNECTIONS TO IPC$
OR TO -\\<server>\-

Links to MS articles:
RestrictAnonymous (server 2003)- http://technet.microsoft.com/en-us/l...67(WS.10).aspx
Named Pipes Firewall (server 2003) - http://support.microsoft.com/kb/925890
TurnOffAnonymousBlock - http://social.technet.microsoft.com/...d-7925106107b7
RestrictNullSessAccess - http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

Is this a lost cause?
What am I missing?
Is there even a way to completely disable unauthenticated access to IPC$???

I already know about monitoring with IDS/IPS and I can block access
with firewalls.... blah... blah... blah... BUT outside of that, is
there a way, either through local security policy / registry / GPO /
<insert compensating control here> - to restrict this?

please advise....
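
An added example, not part of zerotrace's post: a Python check that compares saved `reg query` output for the Lsa and LanmanServer\Parameters keys against the values the post's six-policy recipe and RestrictNullSessAccess call for. The sample output is constructed, the whitespace-separated `reg query` column layout is an assumption, and `RestrictAnonymousSAM` and `EveryoneIncludesAnonymous` are the registry value names behind policies 2 and 4, which the post does not spell out.

```python
import re

# Hardened values for the settings in the post. RestrictAnonymousSAM and
# EveryoneIncludesAnonymous back policies 2 and 4; policy 1 is not a registry value.
EXPECTED = {
    "restrictanonymous": 1,          # policy 3
    "restrictanonymoussam": 1,       # policy 2
    "everyoneincludesanonymous": 0,  # policy 4
    "restrictnullsessaccess": 1,
    "nullsessionpipes": [],          # policy 5: empty list
    "nullsessionshares": [],         # policy 6: empty list
}

# Constructed sample of `reg query` output (not captured from a real server).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x1
    restrictanonymoussam    REG_DWORD    0x1
    everyoneincludesanonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    NullSessionPipes    REG_MULTI_SZ    COMNAP\0COMNODE\0SQL\QUERY\0SPOOLSS\0LLSRPC
    NullSessionShares    REG_MULTI_SZ    COMCFG\0DFS$
"""

LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)(?:\s+(.*))?$")

def parse_reg_query(text):
    """Return {lowercased value name: int or list of strings}."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, kind, data = m.group(1).lower(), m.group(2), (m.group(3) or "").strip()
        if kind == "REG_DWORD":
            values[name] = int(data, 16)
        elif kind == "REG_MULTI_SZ":
            values[name] = [s for s in data.split("\\0") if s]
    return values

def audit(text):
    """Return (name, found, expected) for each missing or deviating value."""
    found = parse_reg_query(text)
    return [(n, found.get(n), w) for n, w in EXPECTED.items() if found.get(n) != w]

if __name__ == "__main__":
    for name, got, want in audit(SAMPLE):
        print(f"{name}: found {got!r}, expected {want!r}")
```

A value that is absent from the output is reported with `found None`, which separates "never set" from "set to the wrong value" when re-checking after a reboot.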
 